Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-17
  • Author: Rod Soto, Teoderick Contreras, Splunk
  • ID: 5a6f6849-1a26-4fae-aa05-fa730556eeb6

Narrative

Clop ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data, per the HHS bulletin. Malicious actors demand payment for the ransom of data and threaten deletion and exposure of the exfiltrated data.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Create Service In Suspicious File Path | System Services, Service Execution | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| High File Deletion Frequency | Data Destruction | Anomaly |
| High Process Termination Frequency | Data Encrypted for Impact | Anomaly |
| Process Deleting Its Process File Path | Indicator Removal on Host | TTP |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| Resize ShadowStorage volume | Inhibit System Recovery | TTP |
| Resize Shadowstorage Volume | Service Stop | TTP |
| Suspicious Event Log Service Behavior | Indicator Removal on Host, Clear Windows Event Logs | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal on Host | TTP |
| WevtUtil Usage To Clear Logs | Indicator Removal on Host, Clear Windows Event Logs | TTP |
| Windows Event Log Cleared | Indicator Removal on Host, Clear Windows Event Logs | TTP |
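As an added example, not part of the Splunk content itself, the following Python applies the logic behind three detections in the table above (Deleting Shadow Copies, Resize ShadowStorage volume, Suspicious wevtutil Usage) to constructed process-creation events, so the matching can be tried offline before writing the equivalent Endpoint data model search. The field names and sample records are assumptions, not Splunk's schema or data.

```python
# Constructed sample process-creation events (not real telemetry). Field names
# loosely mirror the Endpoint.Processes data model used by the story's searches.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "alice", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "srv02", "user": "svc_backup", "process_name": "wevtutil.exe",
     "process": "wevtutil.exe cl Security"},
    {"host": "srv02", "user": "bob", "process_name": "wevtutil.exe",
     "process": "wevtutil.exe qe Security /c:5"},       # benign: query, not clear
    {"host": "ws03", "user": "carol", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe list shadows"},            # benign: read-only listing
]

# Each rule: (detection name from the story, expected image name,
#             predicate over the lowercased command-line tokens).
RULES = [
    ("Deleting Shadow Copies", "vssadmin.exe",
     lambda a: "delete" in a and "shadows" in a),
    ("Resize ShadowStorage volume", "vssadmin.exe",
     lambda a: "resize" in a and "shadowstorage" in a
     and any(t.startswith("/maxsize=") for t in a)),
    ("Suspicious wevtutil Usage", "wevtutil.exe",
     lambda a: "cl" in a or "clear-log" in a),
]


def evaluate(events):
    """Return (detection_name, host, user, command_line) for every event matching a rule."""
    hits = []
    for ev in events:
        # Whitespace split is deliberate: odd quoting in a real command line must
        # never make the detection itself raise and skip the event.
        argv = ev["process"].lower().split()
        for name, image, predicate in RULES:
            if ev["process_name"].lower() == image and predicate(argv):
                hits.append((name, ev["host"], ev["user"], ev["process"]))
    return hits


def hits_by_host(events):
    """Count distinct detections per host; several on one host is the stronger ransomware signal."""
    per_host = {}
    for name, host, _user, _cmd in evaluate(events):
        per_host.setdefault(host, set()).add(name)
    return {host: len(names) for host, names in per_host.items()}


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(hits_by_host(SAMPLE_EVENTS))
```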

Reference

source | version: 1